This rule ensures that RDS DB instances have deletion protection enabled for data security.
| Rule | RDS DB instances should have deletion protection enabled |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description:
RDS DB instances should have deletion protection enabled to ensure compliance with NIST 800-53 Revision 5 security requirements. Enabling deletion protection helps prevent accidental or malicious deletion of DB instances, providing an additional layer of protection and ensuring the integrity and availability of sensitive data.
Remediation Steps:
Troubleshooting Steps (if applicable):
If the deletion protection toggle switch is grayed out or not clickable, it might indicate that the DB instance has automated backups disabled or automated backups are retained only for a specific duration. In such cases, follow these steps to resolve the issue:
Note: If the issue persists or you encounter any other error, it is recommended to consult the AWS documentation or contact AWS Support for further assistance.
Relevant AWS CLI Command (if applicable):
There is no specific AWS CLI command for enabling deletion protection on an RDS DB instance, as this configuration is done through the AWS Management Console. However, you can use the AWS CLI for other AWS operations related to RDS instances, such as creating, modifying, or managing backups.
Please refer to the AWS CLI RDS documentation for a comprehensive list of available commands and their usage.
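As an added, read-only audit (example code, not part of this rule page), the script below uses the `describe-db-instances` call the page points to and reports every DB instance whose `DeletionProtection` flag is not `True`. It assumes AWS CLI v2 is configured with credentials allowed to call `rds:DescribeDBInstances`; without `--live` it runs against a constructed sample instead of the account.

```shell
#!/bin/sh
# Added audit helper, not from the rule page: lists RDS DB instances whose
# DeletionProtection flag is false, i.e. instances that fail this rule.
# Assumptions: AWS CLI v2 is configured and the caller's credentials allow
# rds:DescribeDBInstances (read-only). Region/profile come from the environment.
set -eu

# Ask the CLI for one "<identifier><TAB><True|False>" line per DB instance.
fetch_deletion_protection() {
  aws rds describe-db-instances \
    --output text \
    --query 'DBInstances[].[DBInstanceIdentifier,DeletionProtection]'
}

# Read those lines on stdin and print one line per instance that is NOT
# protected. Anything other than "True" (including a missing value) is
# treated as non-compliant so a parsing surprise fails closed.
report_unprotected() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r id flag; do
    [ -n "$id" ] || continue
    case "$flag" in
      True) ;;                                   # compliant, nothing to print
      *) echo "NON-COMPLIANT: $id (DeletionProtection=${flag:-missing})" ;;
    esac
  done
}

# Returns 0 when every instance on stdin is protected, 1 otherwise; usable as
# a CI gate: fetch_deletion_protection | assert_all_protected
assert_all_protected() {
  out="$(report_unprotected)"
  [ -z "$out" ] && return 0
  printf '%s\n' "$out" >&2
  return 1
}

# Constructed sample standing in for real describe-db-instances text output.
sample_instances() {
  printf 'prod-orders\tTrue\nstaging-reports\tFalse\ndev-scratch\t\n'
}

# Run against the sample by default; pass --live to query the account.
if [ "${1:-}" = "--live" ]; then
  fetch_deletion_protection | report_unprotected
else
  sample_instances | report_unprotected
fi
```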
Compliance:
Enabling deletion protection for RDS DB instances ensures compliance with NIST 800-53 Revision 5 security requirements, specifically control AC-4(5), which states that "The organization [AWS user] disables the capability for [DB instances] to be directly deleted by organizations [AWS users] without the intervention of [AWS indigenous] individuals." By enabling deletion protection, accidental or unauthorized deletion of RDS DB instances can be prevented, addressing the security control requirement.